I just found out that a user had a weak password and it was broken. How do I trace what a user has been doing?
I only see brief info in .bash_history (below).
Any help at all is welcome. I've changed the password and deleted the 2 directories I've found.
Not a single hit on robotbsd in Google makes me a bit worried.

You can "watch" your box's actual network traffic to see who's NOW talking to you and with whom you're talking. If you cannot account for the sessions you see, then you are OPERATING as a compromised host.

The very nature of an IM/IRC "bot" would suggest that you're going to see lots and lots of sessions.

In the bash history, where you see

Code:

./a 21.21

are obfuscated and powerful system calls, where the hacker knows what 21.21 is.

/S

__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
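An added example, not part of the posts above: one way to do the "account for the sessions you see" check is to filter BSD-style `netstat -an` output against a short list of expected ports. The port lists, function names and sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumed policy (edit for your host): services this box is meant to offer,
# and remote ports it is meant to contact.
EXPECTED_LOCAL="22"
EXPECTED_REMOTE="53 80 443"

# unaccounted_sessions: reads BSD-style `netstat -an` text on stdin and prints
# "local -> remote" for every ESTABLISHED TCP session outside the policy.
unaccounted_sessions() {
    awk -v lok="$EXPECTED_LOCAL" -v rok="$EXPECTED_REMOTE" '
    BEGIN {
        n = split(lok, a, " "); for (i = 1; i <= n; i++) local_ok[a[i]] = 1
        n = split(rok, b, " "); for (i = 1; i <= n; i++) remote_ok[b[i]] = 1
    }
    # BSD netstat writes addr.port, so the port is the text after the last dot.
    function port(s) { sub(/.*\./, "", s); return s }
    $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
        lp = port($4); rp = port($5)
        if (!(lp in local_ok) && !(rp in remote_ok))
            print $4 " -> " $5
    }'
}

# Constructed sample output (documentation addresses), not from the thread.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.0.2.10.22          203.0.113.5.51234      ESTABLISHED
tcp          0      0  192.0.2.10.40112       198.51.100.7.6667      ESTABLISHED
tcp          0      0  192.0.2.10.33411       198.51.100.20.443      ESTABLISHED
tcp          0      0  *.22                   *.*                    LISTEN
udp          0      0  *.514                  *.*
EOF
}

# On a live host: netstat -an | unaccounted_sessions
sample_netstat | unaccounted_sessions
```

On the sample, only the session to remote port 6667 is reported; the inbound SSH session and the outbound 443 session match the assumed policy.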

The Hungarian link is still functional, so go get wtf.tgz. It's a real script kiddy's toolkit. There are even word dictionaries. It also has the shell script that was copied to the compromised account's directory. It may help you trace any changes made.

For the next time (I truly hope there won't be any), please enforce strict password policies, like setting minimum length, with both lowercase and uppercase alphanumeric sets.

And check the handbook, part III (System Administration), especially chapters 13 to 17. There are many good security tips.

Ah sorry for that. I KNEW I was in the OpenBSD section and yet I was still thinking about the FreeBSD handbook.

However, most topics there are common to both systems (and many others), some are general tips that can apply to any situation and some provide general information about the use and configuration of third-party software or software common to both systems.